Caddy Path Sanitization Bypass via Backslashes (v<2.11.1)
CVE-2026-27585 Published on February 24, 2026
Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2026-27585
Want to know whenever a new CVE is published for Caddy Server Caddy Web Server? stack.watch will email you.
Affected Versions
caddyserver caddy Version < 2.11.1 is affected by CVE-2026-27585Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.